Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/open-policy-agent/opa: CVE-2022-23628 #316

Closed
GoVulnBot opened this issue Feb 9, 2022 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/open-policy-agent/opa: CVE-2022-23628 #316

GoVulnBot opened this issue Feb 9, 2022 · 2 comments
Assignees
@neild
Labels
cve-year-2022 NeedsReport

Comments

@GoVulnBot
Copy link

In CVE-2022-23628, the reference URL github.com/open-policy-agent/opa (and possibly others) refers to something in Go.

module: github.com/open-policy-agent/opa
package: opa
description: |
    OPA is an open source, general-purpose policy engine. Under certain conditions, pretty-printing an abstract syntax tree (AST) that contains synthetic nodes could change the logic of some statements by reordering array literals. Example of policies impacted are those that parse and compare web paths. **All of these** three conditions have to be met to create an adverse effect: 1. An AST of Rego had to be **created programmatically** such that it ends up containing terms without a location (such as wildcard variables). 2. The AST had to be **pretty-printed** using the `github.com/open-policy-agent/opa/format` package. 3. The result of the pretty-printing had to be **parsed and evaluated again** via an OPA instance using the bundles, or the Golang packages. If any of these three conditions are not met, you are not affected. Notably, all three would be true if using **optimized bundles**, i.e. bundles created with `opa build -O=1` or higher. In that case, the optimizer would fulfil condition (1.), the result of that would be pretty-printed when writing the bundle to disk, fulfilling (2.). When the bundle was then used, we'd satisfy (3.). As a workaround users may disable optimization when creating bundles.
cves:
  - CVE-2022-23628
links:
    pr: https://github.com/open-policy-agent/opa/pull/3851
    commit: https://github.com/open-policy-agent/opa/commit/bfd984ddf93ef2c4963a08d4fdadae0bcf1a3717
    context:
      - https://github.com/open-policy-agent/opa/security/advisories/GHSA-hcw3-j74m-qc58

See doc/triage.md for instructions on how to triage this report.
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/392758 mentions this issue: reports: add GO-2021-0316.yaml for CVE-2022-23628

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/416454 mentions this issue: x/vulndb: add reports/GO-2022-0316.yaml for CVE-2022-23628

@GoVulnBot GoVulnBot mentioned this issue Sep 19, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

Labels
cve-year-2022 NeedsReport
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@neild @julieqiu @gopherbot @GoVulnBot